v9.0.0

[williballenthin]

This release introduces a new scope for dynamic analysis, "span of calls",
that matches features against a across a sliding window of API calls within a thread.
Its useful for identifying behaviors that span multiple API calls,
such as OpenFile/ReadFile/CloseFile, without having to analyze an entire thread, which may be very long.

The release also contains a number of bug fixes and enhancements by new contributors: @v1bh475u and @dhruvak001. Welcome and thank you!

New Features

• add warning for dynamic .NET samples dynamic: warn user for .NET samples #1864 @v1bh475u
• add lint for detecting duplicate features in capa-rules add lint to avoid duplicate features #2250 @v1bh475u
• add span-of-calls scope to match features against a across a sliding window of API calls within a thread @williballenthin dynamic: add "span of calls" scope #2532
• add lint to catch rules that depend on other rules with impossible scope @williballenthin rule set does not correctly validate dependencies across scopes #2124

Breaking Changes

• remove is_static_limitation method from capa.rules.Rule
• add span-of-calls scope to rule format
• capabilities functions return dataclasses instead of tuples

New Rules (3)

• data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library @Ana06
• data-manipulation/encryption/use-bigint-function @Ana06
• internal/limitation/dynamic/internal-dotnet-file-limitation @v1bh475u

Bug Fixes

• dynamic: only check file limitations for static file formats @mr-tz
• vmray: load more analysis archives @mr-tz
• vmray: skip non-printable strings @mike-hunhoff
• vmray: loosen file checks to enable processing more file types @mike-hunhoff vmray: loosen file checks to enable processing of additional file types #2571
• strings: add type hints and fix uncovered bugs @williballenthin strings: fix type hints and uncovered bugs #2555
• elffile: handle symbols without a name @williballenthin KeyError: 'r_info_sym' #2553
• project: remove pytest-cov that wasn't used @williballenthin @2491
• replace binascii methods with native Python methods @v1bh475u Replace binascii and struct with native Python methods #2582
• rules: scopes can now have subscope blocks with the same scope @williballenthin rules: scopes can now have subscope blocks with same scope #2584

Development

• license & copyright: Correct LICENSE file and improve copyright and license information headers in the source code files @Ana06
• documentation: Improve CLA and Code of Conduct information in CONTRIBUTING @Ana06

Raw diffs

• capa v8.0.1...v9.0.0
• capa-rules v8.0.1...v9.0.0

---

This discussion was created from the release v9.0.0.